Apress Introducing dot NET 4 0 with Visual Studio 2010_1 pot

CHAPTER 3 LANGUAGE AND DYNAMIC CHANGES public class TestClass } // end of method Program::Main However, if we alter our t variable to the following: dynamic t = new TestClass; Whoa, wh

CHAPTER 3
LANGUAGE AND DYNAMIC CHANGES

public class TestClass

} // end of method Program::Main

However, if we alter our t variable to the following:

dynamic t = new TestClass();

Whoa, what is happening here? Well the short answer is that calls to dynamic methods are sent to

the Dynamic Language Runtime for resolution It is time to take a look into how the DLR works

Dynamic Language Runtime (DLR)

The Dynamic Language Runtime (DLR) is behind all the cool dynamic functionality and sits just above the core NET framework The DLR’s job is basically to resolve calls to dynamic objects, cache dynamic calls making them as quick as possible, and enable interaction between languages by using a common format The DLR has actually been around a while, and was included in earlier versions of Silverlight You can even view the source code behind the DLR at: http://dlr.codeplex.com Note that this version contains a number of features not present in the framework version

When discussing the DLR we need to understand five main concepts:

• Expression trees/Abstract Syntax Trees (AST)

• Dynamic Dispatch

• Binders

• IDynamicObject

• Call Site Caching

Expression/Abstract Syntax Trees (AST)

Expression trees are a way of representing code in a tree structure (if you have done any work with LINQ, you may have come across this before with the Expression class) All languages that work with the DLR represent code in the same structure allowing interoperability

Dynamic Dispatch

Dynamic Dispatch is the air traffic control center of the DLR, and is responsible for working out what to

do with dynamic objects and operations and sending them to the appropriate binder that takes care of the details

Binders

Binders resolve classes from dynamic dispatch .NET 4.0 currently supports the following binder types:

• Object Binder NET (uses Reflection and resolved our earlier example to type string)

• JavaScript binder (IDynamicObject)

• IronPython binder (IDynamicObject)

• IronRuby binder (IDynamicObject)

• COM binder (IDispatch)

Note that dynamic objects can resolve calls themselves without the DLR’s assistance (if they implement IDynamicObject), and this method will always be used first over the DLR’s dynamic dispatch mechanism

CHAPTER 3
LANGUAGE AND DYNAMIC CHANGES

IDynamicObject

Sometimes you will want objects to carry out resolution themselves, and it is for this purpose the

IDynamicObject exists Normally dynamic objects are processed according to type, but if they implement the IDynamicObject interface then the object will resolve calls itself IDynamicObject is used in IronRuby and IronPython

Callsite Caching

Resolving objects is an expensive operation, so the DLR caches dynamic operations When a dynamic

function or operation is performed, the DLR checks to see if it has been called already (Level 0 cache) If

it hasn’t, then the 10 most recently used dynamic methods for this callsite will be checked (Level 1

cache) A cache is also maintained across all target sites with the same binder object (Level 2 cache)

useful step for creating language-specific tools.)

2 The IronPython AST is then mapped to the generic DLR specific AST

3 The DLR then works with the generic AST

For a detailed look at how this works with Iron Python please refer to: http://msdn.microsoft.com/ en-us/magazine/cc163344.aspx

As all languages end up being compiled into the same common AST structure, it is then possible for interaction between them

Embedding Dynamic Languages

One use of dynamic languages that really excites me is the ability to embed them within your C# and

VB.NET applications One possible use would be to use them to define complex business rules and logic

Dynamic languages are often utilized in computer game construction to script scenarios and logic (such as how Civilization IV utilizes Python) Let’s take a look at how to work with IronPython in a C# application

Calling IronPython from NET

The following example passes a value into a simple IronPython script from C# Note that you should

have installed IronPython from http://ironpython.codeplex.com/ Now add a reference to

IronPython.dll and Microsoft.Scripting.dll (at the time of writing these don’t show up on the main

Add Reference window but are located at C:\Program Files (x86)\IronPython 2.6)

ScriptEngine pythonEngine = Python.CreateEngine();

ScriptScope scope = pythonEngine.CreateScope();

string script = @"print ""Hello "" + message";

scope.SetVariable("message", "world!");

ScriptSource source =

scope.Engine.CreateScriptSourceFromString(script, SourceCodeKind.Statements); source.Execute(scope);

Console.ReadKey();

}

}

}

IronPython is already in use in two real-world applications, so let’s take a look at these now

Red Gate Reflector Add-In

Many of you will be familiar with the tool Reflector (www.red-gate.com/products/reflector/) Reflector allows you to explore an assembly and view the IL code within it C# MVP Ben Hall developed an add-in (Methodist) to Reflector that allows you to actually call the classes and methods within the type you are exploring using Iron Python For more information please consult: http://mail.simple-talk.com/ dotnet/.net-tools/methodist-make-.net-reflector-come-alive-with-ironpython/

ResolverOne

One of the best know uses of IronPython is for ResolverOne (http://www.resolversystems.com)

ResolverOne is an application that allows you to work with Excel’s objects using IronPython See Figure 3-3

CHAPTER 3
LANGUAGE AND DYNAMIC CHANGES

Figure 3-3 ResolverOne application

One of the developers on ResolverOne was Michael Foord, who is author of IronPython in Action

(Manning Publications, 2009) I spoke to Michael about his experiences with working with embedding

dynamic languages and IronPython

Michael Foord

Why should VB.NET/C# developers be interested in IronPython?

Much of the discussion here applies to other dynamic languages, including IronRuby, but Python is my particular area of expertise

IronPython is a NET implementation of the popular open source programming language Python Python is an expressive language that is easy to learn and supports several different programming styles, including interactive, scripting, procedural, functional, object-oriented, and metaprogramming But

what can you do with IronPython that isn’t already easy with your existing tools?

The first entry in the list of programming styles is “interactive.” The IronPython distribution

includes ipy.exe, the executable for running scripts or programs that also doubles as an interactive

interpreter When you run ipy.exe, you can enter Python code that is evaluated immediately and the

result returned It is a powerful tool for exploring assemblies and learning how to use new frameworks

and classes by working with live objects

The second reason to use IronPython is also the second programming style in the list: scripting

Python makes an excellent tool for generating XML from templates, automating build tasks, and a host

One of the big use cases for IronPython is for embedding in applications Potential uses include user scripting, adding a live console for debugging, creating domain-specific languages (DSLs) where rules can be added or modified at runtime, or even building hybrid applications using several languages Python has several features, such as the ability to customize attribute access, that make it particularly suited to the creation of lightweight DSLs IronPython has been designed with these uses in mind and has a straightforward hosting API

There are many areas where dynamic languages are fundamentally different from statically typed languages, a topic that rouses strong opinions Here are a few features of IronPython that make it easy to develop with:

• No type declarations

• First class and higher order functions

• No need for generics; it uses flexible container types instead

• Protocols and duck-typing instead of compiler enforced interfaces

• First class types and namespaces that can be modified at runtime

• Easier to test than statically typed languages

• Easy introspection (reflection without the pain)

• Problems like covariance, contravariance and casting just disappear

The best way to learn how to get the best from IronPython is my book IronPython in Action I've also

written a series of articles aimed at NET developers to help get you started, including

• Introduction to IronPython (http://www.voidspace.org.uk/ironpython/

What does Resolver One’s Python interface provide that VBA couldn’t?

The calculation model for Resolver One is very different from Excel The data and formulae you enter in the grid is translated into an interpreted language and you put your own code into the flow of the spreadsheet, working on the exact same object model that your formulae do

Having the programming model at the heart of Resolver One was always the core idea When development started, the two developers (a few months before I joined Resolver Systems) evaluated interpreted languages available for NET When they tried IronPython they made three important discoveries:

• Although neither of them was familiar with Python, it was an elegant and expressive

language that was easy to learn

• The NET integration of IronPython was superb In fact, it seemed that everything

they needed to develop Resolver One was accessible from IronPython

• As a dynamic language, Python was orders of magnitude easier to test than

languages they had worked with previously This particularly suited the test-driven

approach they were using

CHAPTER 3
LANGUAGE AND DYNAMIC CHANGES

So the main advantage of Resolver One is that programmability is right at the heart of the

spreadsheet model IronPython is generally regarded as being a much “nicer” language than VBA

Python is a dynamically typed, cross-platform, open source, object-oriented, high-level programming

language Python was first released publicly in 1991, making it older than C#, and is widely used in many different fields

What do you think of the new dynamic features in NET?

They’re great, particularly for interoperating between C# and DLR-based languages The dynamic

features make this much easier

The dynamic keyword also makes creating fluent APIs possible (like the way you access the DOM

using the document object in Javascript) This is particularly useful for DSLs

Duck typing is one of the features of dynamic languages that simplify architecture I doubt that the dynamic keyword, will be used much for this however, as it doesn’t gel well with the way most NET

developers use traditional NET languages

Apart from your book (obviously), any recommended reading on Python or dynamic languages?

The Python tutorial and documentation is pretty good Unsurprisingly they can be found from the

Python website at http://www.python.org/ There is an interactive online version of the Python tutorial created with IronPython and Silverlight at: http://www.trypython.org/

For learning IronPython there is an excellent community resource called the IronPython Cookbook: http://www.ironpython.info/

For more general Python resources I recommend Dive into Python and the Python Essential

Reference

F#

F# is a functional programming language for the NET framework that was previously available as a

separate download to Visual Studio but now comes included in VS2010 Some developers feel that

functional languages such as F# can enable you to work in a more intuitive way (particularly for those

with a mathematical background), and are very good at manipulating sets of data and for solving

mathematical and scientific problems

Interest in functional languages is increasing due to their absence of side effects (where an

application modifies state as well as returning a value) The lack of side effects is vital in multithreaded and parallelized applications (see Chapter 5) Note that F# is not as strict as some functional languages and allows the creation of non-functional constructs, such as local variables

So should you rush out and learn F#? Well it’s not going to take over C# or VB.NET for developing

line of business applications, but it is worth noting that functional languages have been influencing the development of C# and VB An example is the recent addition of traditionally functional features, such as lambda expressions

However, I do believe that looking at other languages can help make you a better programmer (I’m currently looking into Python) At a DevEvening user group presentation, Jon Skeet suggested to us that functional languages may help you become a better developer by getting you to think about a problem

Jon Skeet

For those developers who really want to delve into the details of a language, I don’t think you can do

much better than read Jon Skeet’s C# In Depth (Manning Publications, 2008) A revised version for NET

4.0 is currently on its way (http://csharpindepth.com/)

I spoke to Jon about his thoughts on C# 2010

What Do You See as the Top Feature(s) in C#2010, and Why?

Named arguments and optional parameters, without a doubt (That sounds like two features, but they naturally come together.) It's a small feature, but it’s likely to be the most widely used one Two of the others (better COM support and dynamic typing) are only likely to be used by a minority of developers, and while generic variance is useful and interesting, it’s more of a matter of removing a previous inconvenience than really introducing something new

Admittedly, to fully take advantage of optional parameters, you have to be confident that all your callers will be using a language supporting them For example, suppose you wanted to write a method with five parameters, three of them optional Previously you may have used several overloads to avoid forcing callers to specify arguments for parameters where they’re happy with the default Now, if you

don't care about (say) C#2008 callers, you can just provide a single method But that would force any

C#2008 callers to specify all the arguments explicitly

The biggest potential use I see for the feature is immutability C#2008 made it easy to create

instances of mutable types using object initializers, but provided no extra support for immutable types

Now with named arguments and optional parameters, it’s a lot easier For example, take the

initialization of a mutable type:

Person p = new Person {

Name = "Jon",

Occupation = "Software Engineer",

Location = "UK"

};

This can be converted into initialization of an immutable type without losing the benefits of

optional data and explicitly specifying which value means what:

Person p = new Person (

Well, dynamic typing is going to be really useful when you need it, but should generally be avoided

otherwise, in my view It’s great for interoperability with dynamic languages via the DLR, some

additional COM support, and occasional cases where you would otherwise use Reflection But C# is

basically a statically typed language It isn’t designed for dynamic typing If you want to use dynamic

typing widely throughout a program, write it in a dynamic language to start with You can always use the DLR to work with C# code as well, of course

CHAPTER 3
LANGUAGE AND DYNAMIC CHANGES

What Would You Like to See in the Next Version of C#?

More support for immutability For example, readonly automatic properties would be a simple but really helpful feature:

public string Name { get; readonly set; }

That would be backed by a readonly field behind the scenes, and the property could only be set in the constructor (where the assignment would be converted into simple field assignment) Beyond that,

the ability to declare that a type is meant to be immutable, with additional compiler support and

checking, would be great But that's a bigger request

If Code Contracts takes off, it would also be nice to embed the simplest contract, non-nullity, into

the language, in the way that Spec# did For example, instead of:

public string Convert(string input)

you could just write:

public string! Convert(string! input)

{

// Do processing here

}

The handling of non-nullable local variables could be tricky, but there are smart people at

Microsoft I'm sure they could figure something out

Admittedly I’m wary of anything that links the language too closely to specific libraries, but this

would be a really nice win in terms of readability

These may all sound like I’m lacking in ambition After all, there are bigger ideas on the table such as metaprogramming But I’m really keen on small, simple changes that make a big difference I generally need to be persuaded more when it comes to large changes The ones we’ve already had in C# have been very well designed, and I’m pleased with them But the language is getting really pretty big now, and I

think we need to make sure it doesn't become simply too hard to learn from scratch

Future of C#

At the 2008 PDC Anders Hejlsberg noted that many developers were creating programs that created

programs (meta programming) Anders considered it would be useful to expose compiler methods to

developers to give them complete control over compilation In a future version of NET the compiler will

be written in managed code and certain functions made accessible to the developer Anders then

demonstrated an example of this by showing a REPL (Read Evaluate Print Loop) C# application

C H A P T E R 4

CLR and BCL Changes

Availability: Framework 4

In this chapter you will look at the changes to the common language runtime (CLR) in NET 4.0 that

cover changes to security, garbage collection, threading, and internationalization You will then look

into the new types introduced in NET 4.0 and the enhancements that have been made to existing

classes You will finish the chapter by looking at code contracts a great new feature allowing you to

express assumptions and constraints within your code

New CLR

The last two releases of.NET (3.0 and 3.5) have been additive releases building on top of the functionality available in CLR version 2.0 (see Figure 4-1)

Figure 4-1 CLR releases

.NET 4.0 however has a new version of the CLR! So you can happily install NET 4.0 without fear that

it will affect your existing NET applications running on previous versions of the framework

ASP.NET

When using IIS7, the CLR version is determined by the application pool settings Thus you should be able to run NET 4.0 ASP.NET applications side by side without fear of affecting existing ASP.NET sites

What Version of the CLR Does My Application Use?

It depends; applications compiled for earlier versions of the framework will as before use the same version they were built on if it's installed If, however, the previous framework version is not available, the user will now be offered a choice about whether to download the version of the framework the application was built with or whether to run using the latest version Prior to NET 4.0, the user wouldn’t

be given this choice with the application using the latest version available

Specifying the Framework to Use

Since almost the beginning of NET (well, NET Framework 1.1), you can specify the version your application needs to use in the App.config file (previously as requiredRuntime):

CHAPTER 4
CLR AND BCL CHANGES

Figure 4-2 Dialog showing application targeted for version 1 of the framework

VB.NET Command-Line Compiler

The compiler has a new /langversion switch option that allows you to tell the compiler to use a

particular framework version It currently accepts parameters 9, 9.0, 10, and 10.0

vbc /langversion:9.0 skynet.vb

Improved Client Profile

Client profile is a lean, reduced-functionality version of the full NET Framework that was first

introduced in NET 3.5SP1 Functionality that isn’t often needed is removed from the client profile This results in a smaller download and reduced installation time for users At the time of writing, Microsoft

has reduced the size of the client profile to around 34 MB, although it intends to minimize it even further for the final release

The NET 4.0 client profile is supported by all environments that support the full NET Framework and is redistributable (rather than web download only) and contains improvements to add/remove

program entries, unlike the version available in NET 3.5SP1

To use the client profile in your application, open the project Properties page, select the Application tab, and on the Target framework drop-down menu select NET Framework 4.0 Client Profile (as shown

in Figure 4-3) Note that in VB.NET, this option is in the CompileAdvanced Compile Options tab

Client profile is the default target framework option in many VS2010 project types such as Windows Forms and Console This is important to remember because sometimes you will need functionality not available in the client profile and be confused as to why various options are not available in the Add

Reference menu

For more information about client profile, please consult http://blogs.msdn.com/jgoldb/archive/ 2009/05/27/net-framework-4-client-profile-introduction.aspx

Figure 4-3 Selecting client profile option

In-Process Side-by-Side Execution

Prior to NET 4.0, COM components would always run using the latest version of the NET Framework installed by the user This could cause some issues, for example at some of the PDC08 presentations Microsoft cites an Outlook add-in that contained a thread variable initialization bug The add-in worked correctly in NET 1.0, but after the clever guys in the CLR team made performance improvements to the threading pool in NET 1.1, the add-in left many Microsoft executives unable to read their e-mail (some cynics argued that little productivity was lost)

Obviously you want to fix this bug, but it is vital to know that your application will run in the same manner as when you tested it In-process side-by-side execution ensures that COM components run using the version of the framework they were developed for

Prior to NET 4.0, COM components would run using the latest version of the NET Framework installed You can now force COM components to use a specific framework version by adding the supportedRuntime section to App.config:

CHAPTER 4
CLR AND BCL CHANGES

You can also force components to use the latest version of the NET Framework with the following configuration:

Developers creating NET components should note that their libraries will always run using the

same framework version of the app domain they are running in if loading through a reference or call to Assembly.Load() For example, libraries built in a previous version of NET used in an application

upgraded to NET 4.0 will run using NET 4.0 This might not be the case for unmanaged code, however

Garbage Collection

Garbage collection is something you rarely have to worry about in our nice managed world, so before

you look at what has changed in NET 4.0, let’s quickly recap how GC currently works to put the new

changes in context

Garbage Collection Prior to NET 4.0

As you probably know, the CLR allocates memory for your applications as they require it and assumes an infinite amount of memory is available (you wish) This is a mad assumption, so a process called the

garbage collector (GC) is needed in order to clean up unused resources The GC keeps an eye on

available memory resources and will perform a cleanup in three situations:

• When a threshold is exceeded

• When a user specifically calls the garbage collector

• When a low system memory condition occurs

To make this as efficient as possible, the GC divides items to be collected into “generations.” When

an item is first created, it is considered a generation 0 item (gen 0), and if it survives subsequent

collections (it is still in use), it is promoted to a later generation: generation 1 and later generation 2

This division allows the garbage collector to be more efficient in the removal and reallocation of

memory For example, generation 0 items mainly consist of instance variables that can be quickly

removed (freeing resources earlier) while the older generations contain objects such as global variables that will probably stick around for the lifetime of your application On the whole, the GC works very well and saves you writing lots of tedious cleanup code to release memory

The GC operates in a number of modes: workstation, concurrent workstation (default for multicore machines), and server These modes are optimized for different scenarios For example, workstation is the default mode and is optimized for ensuring that your applications have a quick response time

(important for UI-based applications) while server mode is optimized for throughput of work (generally more important for server type applications) Server mode does pause all other managed threads during

Garbage Collection in NET 4.0

So what’s changed then? Prior to NET 4.0, a concurrent workstation GC could do most but not all of a generation 0 and 1 collection at the same time as a generation 2 collection The GC was also unable to start another collection when it was in the middle of a collection which meant that only memory in the current segment could be reallocated

In NET 4.0, however, concurrent workstation GC collection is replaced by background garbage

collection The simple explanation (and GC gets very complex) is that background garbage collection

allows another GC (gen 0 and 1) to start at the same time as an existing full GC (gen 0, 1, and 2) is

running, reducing the time full garbage collections take This means that resources are freed earlier and that a new memory segment could be created for allocation if the current segment is full up

Background collection is not something you have to worry about
it just happens and will make your applications perform more quickly and be more efficient, so it’s yet another good reason to

upgrade your existing applications to NET 4.0

Background collection is not available in server mode GC, although the CLR team has stated they are aiming to achieve this in the next version of the framework The GC team has also done work to ensure that garbage collection works effectively on up to 128 core machines and improved the GC’s efficiency, reducing the time needed to suspend managed threads

For more information and a detailed interview with the GC team, please refer to http://blogs.msdn com/ukadc/archive/2009/10/13/background-and-foreground-gc-in-net-4.aspx and http://channel9 msdn.com/shows/Going+Deep/Maoni-Stephens-and-Andrew-Pardoe-CLR-4-Inside-Background-GC/

GC.RegisterForFullGCNotification()

It is worth noting that from NET 3.5SP1, the CLR has a method called GC.RegisterForFullGCNotification() that lets you know when a generation 2 or large heap object collection occurs in your applications You might want to use this information to route users to a different server until the collection is complete, for example

Threading

Threading has been tweaked in NET 4.0, with the thread pool switching to a lock-free data structure (apparently the queue used for work items is very similar to ConcurrentQueue) This new structure is more GC-friendly, faster, and more efficient

Prior to NET 4.0, the thread pool didn’t have any information about the context in which the threads were created, which made it difficult to optimize (for example, whether one thread depends on another) This situation changes in NET 4.0 with a new class called Task that provide more information

to the thread pool about the work to be performed thus allowing it to make better optimizations Tasks and other parallel and threading changes are covered in detail in Chapter 5

Globalization

Globalization is becoming increasingly important in application development The NET 4.0 Framework now supports a minimum of 354 cultures (compared with 203 in previous releases
now with new support for Eskimos/Inuits
and a whole lot more)

A huge amount of localization information is compiled into the NET Framework The main

problem is that the NET Framework doesn’t get updated that often, and native code doesn’t use the same localization info

This changes in NET 4.0 for Windows 7 users because globalization information is read directly from the operating system rather than the framework This is a good move because it presents a

CHAPTER 4
CLR AND BCL CHANGES

consistent approach across managed/unmanaged applications For users not lucky enough to be using Windows 7 (it’s good; you should upgrade), globalization information will be read from the framework itself as per usual Note that Windows Server 2008 will still use the localized NET 4.0 store

Globalization Changes in NET 4.0

There have been a huge number of globalization changes; many of them will affect only a minority of

users For a full list, please refer to http://msdn.microsoft.com/en-us/netframework/dd890508.aspx

I do want to draw your attention to some of the changes in NET 4.0:

• Neutral culture properties will return values from the specific culture that is most

dominant for that neutral culture

• Neutral replacement cultures created by NET 2.0 will not load in NET 4.0

• Resource Manager will now refer to the user’s preferred UI language instead of that

specified in the CurrentUICultures parent chain

• Ability to opt in to previous framework versions’ globalization-sorting capabilities

• zh-HK_stroke, ja-JP_unicod, and ko-KR_unicod alternate sort locales removed

• Compliance with Unicode standard 5.1 (addition of about 1400 characters)

• Support added for following scripts: Sundanese, Lepcha, Ol Chiki, Vai, Saurashtra,

Kayah Li, Rejang, and Cham

• Some cultures display names changed to follow naming convention guidelines:

(Chinese, Tibetan (PRC), French (Monaco), Tamazight (Latin, Algeria), and Spanish

(Spain, International Sort)

• Parent chain of Chinese cultures now includes root Chinese culture

• Arabic locale calendar data updated

• Culture types WindowsOnlyCultures and FrameworkCultures now obsolete

• CompareInfo.ToString()() and TextInfo.ToString()() will not return locale IDs

because Microsoft wants to reduce this usage

• Miscellaneous updates to globalization properties such as currency, date and time

formats, and number formatting

• Miscellaneous updates to globalization properties such as currency, date and time

formats, and number formatting

TimeSpan Globalized Formatting and Parsing

TimeSpan now has new overloaded versions of ToString()(), Parse()(), TryParse()(), ParseExact()(), and TryParseExact()() to support cultural sensitive formatting Previously, TimeSpan’s ToString()

method would ignore cultural settings on an Arabic machine, for example

Security

In previous releases of NET, the actions code could perform could be controlled using Code Access Security (CAS) policies Although CAS undoubtedly offered much flexibility, it could be confusing to use and didn’t apply to unmanaged code In NET 4.0, security is much simpler

Transparency Model

The transparency model divides code into safe, unsafe, and maybe safe code (depending on settings in the host the application is running in) .NET has a number of different types of hosts in which

applications can live, such as ASP.NET, ClickOnce, SQL, Silverlight, and so on

Prior to NET 4.0, the transparency model was used mainly for auditing purposes (Microsoft refers

to this as transparency level 1) and in conjunction with code checking tools such as FxCop

The transparency model divides code into three types:

Safe Critical Code

Safe critical code is code that might be allowed to run depending on the current host settings Safe critical code acts as a middle man/gatekeeper between transparent and critical code verifying each request An example of safe critical code is FileIO functions that might be allowed in some scenarios (such as ASP.NET) but not in others (such as Silverlight)

Critical Code

Critical code can do anything and calls such as Marshal come under this umbrella

Safe Critical Gatekeeper

Transparent code never gets to call critical code directly, but has to go via the watchful eye of safe critical code

Why Does It Matter?

If your NET 4.0 application is running in partial trust, NET 4.0 will ensure that transparent code can call only other transparent and safe critical code (the same as the Silverlight security model) When there is a call to safe critical code, a permission demand is made that results in a check of permissions allowed by the current host If your application does not have permissions, a security exception will occur

CHAPTER 4
CLR AND BCL CHANGES

Security Changes

There are a number of security changes:

• Applications that are run from Windows Explorer or network shares run in full trust This

avoids some tediousness because prior to NET 4.0 local and network applications would run with different permission sets

• Applications that run in a host (for example, ASP.NET, ClickOnce, Silverlight, and SQL CLR)

run with the permissions the host grants You thus need worry only that the host grants the

necessary permissions for your application Partial trust applications running within a host

are considered transparent applications (see following) and have various restrictions on them

NOTE Full trust applications such as ASP.NET application can still call critical code, so they are not considered transparent

• Runtime support has been removed for enforcing Deny, RequestMinimum, RequestOptional, and RequestRefuse permission requests Note that when you upgrade your applications to use

.NET 4.0, you might receive warnings and errors if your application utilizes these methods As

a last resort, you can force the runtime to use legacy CAS policy with the new NetFx40_

LegacySecurityPolicy attribute For migration options, see http://msdn.microsoft.com/

en-us/library/ee191568(VS.100).aspx

CAUTION If you are considering using the NetFx40_LegacySecurityPolicy, Shawn Farkas on the Microsoft Security team warned me that

“This will have other effects besides just re-enabling Deny, and Request*

though, so its use should generally be as a last resort In general, uses of Deny

were a latent security hole, we’ve found that most people tend to need

LegacyCasPolicy in order to continue to use the old policy APIs (CodeGroups,

etc) before they cut over to the newer sandboxing model.”

• For un-hosted code, Microsoft now recommends that security policies are applied by using

Software Restriction Policies (SRPs,), which apply to both managed and unmanaged code

Hosted code applications (e.g., ASP.NET and ClickOnce) are responsible for setting up their

own policies

SecAnnotate

SecAnnotate is a new tool contained in the NET 4.0 SDK that analyzes assemblies for transparency

violations

APTCA and Evidence

I want to highlight two other changes (that probably will not affect the majority of developers):

• Allow Partially Trusted Callers Attribute (APTCA) allows code that is partially trusted (for example, web sites) to call a fully trusted assembly and has a new constructor that allows the specification of visibility with the PartialTrustVisibilityLevel enumeration

• A new base class called Evidence has been introduced for all objects to be used that all evidence will derive from This class ensures that an evidence object is not null and is serializable A new method has also been added to the evidence list, enabling querying

of specific types of evidence rather than iterating through the collection

NOTE Thanks to Shawn Farakas of the Microsoft security team for assisting me with this section

Monitoring and Profiling

.NET 4.0 introduces a number of enhancements that enable you to monitor, debug, and handle exceptions:

• NET 4.0 allows you to obtain CPU and memory usage per application domain, which is particularly useful for ASP.NET applications (see Chapter 10)

• It is now possible to access ETW logs (no information available at time of writing) from NET

• A number of APIs have been exposed for profiling and debugging purposes

• No longer must profilers be attached at application startup; they can be added at any point These profilers have no impact and can be detached at any time

Native Image Generator (NGen)

NGen is an application that can improve the startup performance of managed applications by carrying out the JIT work normally done when the application is accessed NGen creates processor optimized machine code (images) of your application that are cached This can reduce application startup time considerably

Prior to NET 4.0, if you updated the framework or installed certain patches, it was necessary to NGen your application all over again But no longer; through a process known as “targeted” patching, regenerating images is no longer required

CHAPTER 4
CLR AND BCL CHANGES

Native Code Enhancements

I will not be covering changes to native code, so I have summarized some of the important changes here:

• Support for real-time heap analysis

• New integrated dump analysis and debugging tools

• Tlbimp shared source is available from codeplex (http://clrinterop.codeplex.com/)

• Support for 64-bit mode dump debugging has also been added

• Mixed mode 64-bit debugging is now supported, allowing you to transition from

managed to native code

Exception Handling

Exception handling has been improved in NET 4.0 with the introduction of the System.Runtime

ExceptionServices namespace, which contains classes for advanced exception handling

inevitably be handling them in a better way Additionally, there are some exceptions that should never

be caught (even by lazy developers) such as lowdown beardy stuff such as access violations and calls to illegal instructions These exceptions are potentially so dangerous that it’s best to just shut down the

application as quick as possible before it can do any further damage

So in NET 4.0, corrupted state exceptions will never be caught even if you specify a try a catch

block However, if you do want to enable catching of corrupted state exceptions application-wide (e.g.,

to route them to an error-logging class), you can add the following setting in your applications

configuration file:

LegacyCorruptedStateExceptionsPolicy=true

This behavior can also be enabled on individual methods with the following attribute:

[HandleProcessCorruptedStateExceptions]

Console.WriteLine(a * 2);

Console.ReadKey();

Surely the result is 4000000000? Running this code will give you the following answer:

-294967296

NOTE VB.NET won't even let you compile the equivalent

This issue occurs due to how this type of integer is represented in binary and the overflow that occurs After the multiplication, the number gets bigger than this type can handle, so it actually becomes negative

OK, so not many applications will need to hold values of this magnitude But for those that do, NET

4.0 introduces the BigInteger class (in the System.Numerics namespace) that can hold really big numbers

BigInteger is an immutable type with a default value of 0 with no upper or lower bounds This upper value is subject to available memory, of course, and if exceeded, an out-of-memory exception will

be thrown But seriously, what are you holding? Even the U.S national debit isn’t that big

BigIntegers can be initialized in two main ways:

BigInteger bigIntFromDouble = new BigInteger(4564564564542332);

BigInteger assignedFromDouble = (BigInteger) 4564564564542332;

BigInteger has a number of useful (and self-explanatory) methods not found in other numeric types: